RFID Security. April 10, 2006. Martin Dam Pedersen Department of Mathematics and Computer Science University Of Southern Denmark





Outline
- What is RFID
- RFID usage
- Security threats
- Threat examples
- Protection Schemes for basic and advanced tags
- The future
- Literature

Plenty of information

What is RFID
- Radio Frequency IDentification
- RFID System
  - Tags
  - Readers
  - Backend servers

RFID System: Tag (transponder)
- Small chip and antenna
- Unique serial number
- Inexpensive (7.5 cents)
- Cryptography is possible in more advanced (expensive) tags:
  - Symmetric key
  - Public key
  - Hashing

RFID System: Tag types
- Passive (HF, UHF)
  - Powered by the reader and transmits a response
  - Very small (chip 0.15 mm × 0.15 mm, antenna the size of a stamp)
  - Read distances ranging from 2 mm to 5 m
- Semi-passive, active (small battery)
  - Self powered
  - Active tags are fully self powered
  - Semi-passive tags only power their circuit
  - Size of a coin
  - Larger ranges (>10 meters)

RFID System: Reader (transceiver)
- Reads/writes data on the tag
- Communicates with the backend system

RFID System: Backend server
- Stores information about tags
- Can perform necessary data computations
- Links tag IDs to richer data

RFID usage
- Replacement of bar codes. EPC (Electronic Product Code) tags combined with Auto ID give unique serial numbers to items.
- Animal tracking
- Payment systems
  - Toll payment at Storebæltsbroen (BroBizz)
  - Stockholm road pricing
- Anti-theft
- Anti-forgery

RFID usage
- Access control
- Supply chain
  - Inventory control
  - Logistics
  - Retail shops
- Human implants
- Libraries
- Etc.

Security threats
- Eavesdropping
- Cloning
- Spoofing
- Tracking
- DoS

Threat examples
- Someone checking what's in your bag
- Cloning access control badges gives unauthorized personnel access to buildings/cars.
- Harvesting IDs from store shelves makes it possible to calculate how much is sold from the store.
- Tracking a person's movement, violating the concept of location privacy

Protection Schemes for basic tags
- Killing/Sleeping
  - Using a PIN
  - Special device incorporated in the shopping bag.
  - If killed, the tag is not usable in smart home devices.
- Collection of IDs
  - The tag sends a different ID at each reader query
  - The reader stores all IDs, and can therefore identify the tag.
  - To avoid harvesting of IDs, slow down responses when queried too quickly
  - Readers can refresh IDs

Protection Schemes for basic tags
- Encrypting the ID, public/private key
  - The ID on the tag is encrypted with the bank's public key
  - The bank can decrypt with its private key
  - To avoid tracking, re-encrypt periodically with El Gamal, which gives a different ciphertext.
- Figure labels: Tag, E_pk(S); tag transmits E_pk(S); re-encrypt; Reader; Bank holds SK
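
The re-encryption idea on this slide, as an added example (not from the original slides): ElGamal lets a party holding only the bank's public key refresh the ciphertext on the tag so that successive reads look unrelated, while the bank still recovers the same S. The modulus, base and serial number are constructed toy values, and the function names are assumptions.

```python
import secrets

P = 2**127 - 1   # toy-sized prime modulus (assumption, not a vetted group)
G = 3            # base element (assumption)

def keygen():
    """Bank side: private key SK and public key pk = G^SK mod P."""
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def encrypt(pk, serial):
    """Initial E_pk(S) written to the tag."""
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), serial * pow(pk, r, P) % P

def reencrypt(pk, ct):
    """Refresh a ciphertext using only pk: fold fresh randomness s into (a, b)."""
    a, b = ct
    s = secrets.randbelow(P - 2) + 1
    return a * pow(G, s, P) % P, b * pow(pk, s, P) % P

def decrypt(sk, ct):
    """Bank side: S = b / a^SK mod P."""
    a, b = ct
    return b * pow(pow(a, sk, P), -1, P) % P

def demo():
    sk, pk = keygen()
    serial = 0x00A1B2C3D4E5F6      # constructed serial number S
    on_tag = encrypt(pk, serial)
    sightings = [on_tag]           # what successive readers would observe
    for _ in range(3):             # periodic re-encryption
        on_tag = reencrypt(pk, on_tag)
        sightings.append(on_tag)
    return serial, sightings, [decrypt(sk, ct) for ct in sightings]

if __name__ == "__main__":
    serial, sightings, recovered = demo()
    print("distinct ciphertexts:", len(set(sightings)), "of", len(sightings))
    print("all decrypt to S:", all(m == serial for m in recovered))
```

Between two refreshes the tag still emits one fixed ciphertext, so the refresh interval bounds how long a tag can be followed.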

Protection Schemes for advanced tags: Hash Lock
- A locked tag only transmits its metaid.
- An unlocked tag can do all operations.
- Locking mechanism:
  1) Reader R selects a nonce as key and computes metaid = hash(key).
  2) R writes metaid to tag T.
  3) T enters the locked state.
  4) R stores the pair (metaid, key).

Protection Schemes for advanced tags: Hash Lock
- Unlocking mechanism:
  1) Reader R queries tag T for its metaid.
  2) R looks up (metaid, key).
  3) R sends key to T.
  4) If hash(key) == metaid, T unlocks itself.
- A spoofing attack is possible, but can be detected.
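
The locking and unlocking steps above, as an added simulation (not from the original slides). SHA-256 stands in for hash(), and the class names, the 16-byte key length and the tag contents are assumptions made for the example.

```python
import hashlib
import secrets

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()      # assumption: SHA-256 as hash()

class Tag:
    def __init__(self, data: bytes):
        self._data, self.metaid = data, None  # metaid None means unlocked

    def write_metaid(self, metaid: bytes):    # lock steps 2-3
        if self.metaid is None:
            self.metaid = metaid

    def query(self) -> bytes:                 # locked tag reveals only metaid
        return self._data if self.metaid is None else self.metaid

    def unlock(self, key: bytes) -> bool:     # unlock step 4
        if self.metaid is not None and h(key) == self.metaid:
            self.metaid = None
            return True
        return False

class Reader:
    def __init__(self):
        self._db = {}                         # metaid -> key

    def lock(self, tag: Tag):
        key = secrets.token_bytes(16)         # lock step 1: random nonce as key
        tag.write_metaid(h(key))
        self._db[h(key)] = key                # lock step 4

    def unlock(self, tag: Tag) -> bool:
        key = self._db.get(tag.query())       # unlock steps 1-2
        return key is not None and tag.unlock(key)   # unlock step 3

def demo():
    tag, owner, stranger = Tag(b"EPC-0001"), Reader(), Reader()  # constructed data
    owner.lock(tag)
    views = {tag.query() for _ in range(3)}   # replies seen by any reader
    return {
        "locked_reply_is_metaid": views == {tag.metaid},
        "stranger_unlocks": stranger.unlock(tag),
        "wrong_key_unlocks": tag.unlock(b"guess"),
        "owner_unlocks": owner.unlock(tag),
        "data_after_unlock": tag.query(),
    }

if __name__ == "__main__":
    print(demo())
```

The locked tag answers every query with the same metaid, so the lock protects the tag's contents but the constant value can still be used to recognise the tag between reads.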

Protection Schemes for advanced tags: Symmetric key tags
- C = E_k(M)
- Challenge-response protocol:
  1) Tag identifies itself by transmitting T
  2) Reader generates a nonce N and transmits it to the tag
  3) Tag computes and returns C = E_k(N)
  4) Reader checks that C is indeed equal to E_k(N).

Protection Schemes for advanced tags: Symmetric key tags
- If implemented in the right way, almost impossible to break.
- In practice, resource constraints lead to bad implementations.

Protection Schemes for advanced tags: The Digital Signature Transponder (DST) from TI (Texas Instruments)
- Theft protection in cars.
- Used in SpeedPass™ (payment device for ExxonMobil petrol stations)
- Performs a challenge-response protocol: C = E_k(R), where R is 40 bits, C is 24 bits, and the secret key k is 40 bits.
- The short key is vulnerable to brute-force attack.
- TI did not publish the encryption algorithm E: security by obscurity.
- Cracked in 2004!!
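
An added example (not from the original slides) covering both the symmetric-key challenge-response steps and the key-length point made about the DST: a fresh nonce per session makes a recorded response useless, while a key space small enough to enumerate is narrowed to one key by a few observed pairs. HMAC-SHA256 truncated to the response width stands in for E, since the slides do not give the cipher; the 12-bit key and 8-bit response are a constructed toy scale of the 40-bit/24-bit DST sizes, and all names are assumptions.

```python
import hashlib
import hmac
import secrets

def E(key: int, nonce: int, resp_bits: int = 24) -> int:
    """Stand-in for E_k (assumption): HMAC-SHA256 truncated to resp_bits."""
    mac = hmac.new(key.to_bytes(5, "big"), nonce.to_bytes(5, "big"), hashlib.sha256)
    return int.from_bytes(mac.digest(), "big") >> (256 - resp_bits)

class Tag:
    def __init__(self, tag_id: str, key: int):
        self.tag_id, self._key = tag_id, key

    def respond(self, nonce: int) -> int:            # step 3: C = E_k(N)
        return E(self._key, nonce)

class Reader:
    def __init__(self, keys: dict):
        self._keys, self._open = keys, {}            # tag_id -> key / open nonce

    def challenge(self, tag_id: str) -> int:         # step 2: fresh 40-bit N
        self._open[tag_id] = secrets.randbits(40)
        return self._open[tag_id]

    def verify(self, tag_id: str, response: int) -> bool:    # step 4
        nonce = self._open.pop(tag_id, None)         # each nonce is single-use
        return nonce is not None and response == E(self._keys[tag_id], nonce)

def surviving_keys(pairs, key_bits: int, resp_bits: int) -> list:
    """Keys in a key_bits-wide space consistent with every observed (N, C) pair."""
    return [k for k in range(1 << key_bits)
            if all(E(k, n, resp_bits) == c for n, c in pairs)]

def demo():
    key = 0x5A3                                      # constructed 12-bit toy key
    tag, reader = Tag("T1", key), Reader({"T1": key})
    c1 = tag.respond(reader.challenge(tag.tag_id))
    fresh_ok = reader.verify("T1", c1)               # honest session
    reader.challenge("T1")                           # new session, new nonce
    replay_ok = reader.verify("T1", c1)              # recorded response replayed
    pairs = [(n, E(key, n, 8)) for n in (1, 2, 3, 4)]    # constructed challenges
    return fresh_ok, replay_ok, surviving_keys(pairs[:1], 12, 8), surviving_keys(pairs, 12, 8)

if __name__ == "__main__":
    print(demo())
```

The cost of `surviving_keys` doubles with every added key bit, which is why the protocol's strength rests on key length rather than on keeping E secret.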

Protection Schemes for advanced tags: Man-in-the-middle attack
- Almost any security application of RFID involves a presumption of physical proximity.
- Can bypass any cryptographic protocol
- A phone equipped with a GPS receiver could sign outgoing messages.
- Figure labels: RFID, Leech, Long distance, Ghost, Reader

The future
- More and more RFID tags in new applications
- D.O.S. becomes a larger problem
- Cheaper tags make it possible to build in more advanced cryptography for the same money
- Probably won't replace bar codes completely because of the cost (5 cent tag on a 29 cent chocolate bar).

Literature
- Ari Juels, RSA Laboratories: RFID Security and Privacy: A Research Survey
- RSAlabs page on rfid: http://www.rsasecurity.com/rsalabs/node.asp?id=2115
- Wikipedia: http://en.wikipedia.org/wiki/rfid
- Stephen August Weis: Security and Privacy in Radio Frequency Identification Devices
- http://www.rfidjournal.com/